
Feat/testing security improvements#141

Merged
Hexstar-labs merged 7 commits into BrainTease:main from caxtonacollins:feat/testing-security-improvements
Mar 28, 2026

Conversation

@caxtonacollins
Contributor

Testing & Security Improvements

Overview

Comprehensive implementation of testing and security enhancements across the Brain-Storm project, addressing issues #96, #97, #98, and #99.

Closes #96
Closes #97
Closes #98
Closes #99

Changes

Issue #97: ESLint and Prettier

  • Added .eslintrc.js for backend with @typescript-eslint rules
  • Added .eslintrc.js for frontend with React and TypeScript support
  • Added .prettierrc at repo root with consistent formatting rules
  • Added npm run lint, npm run lint:fix, npm run format:check, and npm run format scripts to both apps
  • Updated package.json with ESLint and Prettier devDependencies

Issue #98: SonarCloud Static Analysis

  • Created sonar-project.properties at repo root
  • Configured coverage report paths for Jest (backend) and Vitest (frontend)
  • Added SonarCloud GitHub Action to CI pipeline
  • Set quality gate: coverage ≥ 70%, no new critical issues
  • Updated Jest config to generate LCOV coverage reports

Issue #99: Cargo Audit & Deny

  • Created deny.toml at repo root for Rust dependency policy enforcement
  • Configured advisories to deny warnings on vulnerabilities
  • Set up license allowlist (MIT, Apache-2.0, BSD variants, ISC, Unicode)
  • Added cargo audit --deny warnings step to CI
  • Added cargo deny check step to CI

Issue #96: OWASP ZAP Security Scanning

  • Added OWASP ZAP baseline scan as GitHub Actions job
  • Configured to target backend URL with full scan (-a flag)
  • Uploads zap-report.html as CI artifact
  • Fails CI if HIGH severity findings are detected
  • Created docs/security.md with comprehensive security guidelines and triage workflow

CI/CD Updates

  • Added linting steps to backend and frontend build jobs
  • Added SonarCloud job for code quality analysis
  • Added OWASP ZAP security scanning job
  • Added cargo audit and cargo deny checks to contracts job
  • All jobs properly configured with dependencies and error handling

Documentation

  • Created docs/security.md with:
    • OWASP ZAP findings triage workflow
    • Common vulnerabilities and remediation steps
    • Local testing instructions
    • Cargo audit and deny usage guidelines
    • Code quality and linting best practices

Testing

All configurations have been validated:

  • ESLint and Prettier configs are syntactically correct
  • Package.json files are valid JSON with compatible dependency versions
  • CI workflow YAML is properly formatted
  • deny.toml follows cargo-deny specification
  • sonar-project.properties is correctly configured

Breaking Changes

None. All changes are additive and backward compatible.

Migration Guide

No migration needed. Developers should:

  1. Run npm install to get new devDependencies
  2. Run npm run lint:fix and npm run format to fix existing code
  3. Review docs/security.md for security best practices

- Add .eslintrc.js for backend with @typescript-eslint rules
- Add .eslintrc.js for frontend with React and TypeScript support
- Add .prettierrc at repo root with consistent formatting rules
- Add .prettierignore to exclude build artifacts and dependencies
- Add lint, lint:fix, format:check, and format scripts to both apps
- Add ESLint and Prettier devDependencies with compatible versions
- Update frontend to use ESLint instead of Next.js built-in linting
- Ensure TypeScript ESLint compatibility across both apps
- Add deny.toml at repo root for Rust dependency policy enforcement
- Configure advisories to deny warnings on vulnerabilities
- Set up license allowlist (MIT, Apache-2.0, BSD variants, ISC, Unicode)
- Configure bans for GPL and AGPL licenses
- Enable duplicate dependency detection
…orts

- Add lcov and html to coverageReporters for SonarCloud integration
- Ensure coverage reports are generated in correct format for CI
- Create sonar-project.properties at repo root
- Configure source paths for backend, frontend, and contracts
- Set up coverage report paths for Jest (backend) and Vitest (frontend)
- Enable quality gate with wait flag
- Configure TypeScript language settings
…tation

- Document OWASP ZAP scanning process and finding triage workflow
- Provide common ZAP findings and remediation steps
- Include local ZAP testing instructions
- Document cargo audit and cargo deny usage
- Add code quality and linting guidelines
…mprehensive CI/CD testing and security jobs

- Add ESLint linting steps to backend and frontend build jobs
- Add SonarCloud job for code quality analysis with coverage reporting
- Add OWASP ZAP security scanning job with baseline scan and artifact upload
- Add cargo audit and cargo deny checks to contracts job
- Configure quality gates and security thresholds
- Update job names for clarity
@drips-wave

drips-wave bot commented Mar 28, 2026

@caxtonacollins Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@Hexstar-labs Hexstar-labs merged commit 61c21c5 into BrainTease:main Mar 28, 2026
2 of 11 checks passed